The Cryptography API: Next Generation (CNG) is a new and agile framework in Windows Vista™. It implements an extensible provider model that lets you load a provider by specifying the required cryptographic algorithm rather than hardcoding a specific provider.
The advantage is that an algorithm provider can be replaced or upgraded without any change to your code. Also, if an algorithm is determined to be unsafe in the future, a more secure version of that algorithm can be installed with no effect on your code. To facilitate this, you load a CNG provider by identifying the cryptographic algorithm that you require, not the specific provider. Most of the CNG APIs require a provider or an object created by a provider.
In this article, I try to describe the new security feature Cryptography API: Next Generation (CNG) and compare RSA and AES samples, both managed and unmanaged, written with the "Crypto API" (CAPI, the API before Vista) against how the same operations can be implemented using CNG in Windows Vista. A managed version of CNG is yet to come; if you want more, wait for the next release of Visual Studio, "Orcas".
RSA is the established standard for public key encryption. The name RSA is derived from the names of the inventors of the algorithm: Ron Rivest, Adi Shamir and Leonard Adleman. The security of RSA rests on the fact that, with today's knowledge, it is not possible to find the prime factors of a big number (n=pq, where p and q are prime numbers) in a reasonable time.
- Public Key: $n = pq$ ($p$ and $q$ are big prime numbers)
- $e$ relatively prime to $(p-1)(q-1)$
- Private Key: $d \equiv e^{-1} \pmod{(p-1)(q-1)}$
- Encryption: $c = m^e \bmod n$
- Decryption: $m = c^d \bmod n$
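The key equations above, worked through with toy primes as an added example that is not part of the original article. The function names and the values p = 61, q = 53, e = 17 are constructed for illustration; the last function shows that whoever can factor n can recompute d, which is why real keys use primes far too large for this search.

```python
# Added example: textbook RSA with toy primes (constructed values, not real key sizes).
from math import gcd


def make_keypair(p, q, e):
    """Derive (n, e, d) from primes p, q and a public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # d = e^-1 mod ((p-1)(q-1)); needs Python 3.8+
    return n, e, d


def encrypt(m, e, n):
    """c = m^e mod n. The message must be an integer in [0, n)."""
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    return pow(m, e, n)


def decrypt(c, d, n):
    """m = c^d mod n."""
    return pow(c, d, n)


def recover_private_exponent(n, e):
    """Factor n by trial division over odd candidates, then recompute d.

    Assumes n is a product of two odd primes. The loop runs up to sqrt(n)
    steps, so it only finishes for toy moduli like the one used here.
    """
    f = 3
    while f * f <= n:
        if n % f == 0:
            return pow(e, -1, (f - 1) * (n // f - 1))
        f += 2
    raise ValueError("no odd factor found")


if __name__ == "__main__":
    n, e, d = make_keypair(61, 53, 17)
    c = encrypt(65, e, n)
    print("n =", n, "d =", d, "c =", c, "m =", decrypt(c, d, n))
    print("d recovered from (n, e) alone:", recover_private_exponent(n, e))
```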
Advanced Encryption Standard (AES), also known as Rijndael, is a symmetric 128-bit block cipher adopted as an encryption standard by the US government.
- AES operates on a 4×4 array of bytes.
- For encryption, each round of AES (except the last round) consists of four stages: AddRoundKey, SubBytes, ShiftRows and MixColumns.
- At each stage, the bytes are manipulated and processed for the next level.
Cryptography API: Next Generation (CNG)
CNG provides a set of APIs that are used for performing basic cryptographic operations, such as creating hashes, encrypting, and decrypting data.
Each algorithm class in CNG is represented by a primitive router. Applications making use of the primitive APIs will link to the router binary (Bcrypt.dll in user mode, or Ksecdd.sys in kernel mode), and make calls to the various CNG primitive functions. All of the algorithm primitives are managed by various router components. These routers keep track of each algorithm implementation that has been installed on the system. The router will route each function call to the appropriate primitive provider module.
The following illustration shows the design and function of the CNG cryptographic primitives.
CNG provides primitives for the following classes of algorithms:
- Random Number Generator: This class is used to represent pluggable random number generation (RNG).
- Hashing: This class represents algorithms used for hashing, such as SHA1 and SHA2.
- Symmetric encryption: This class represents algorithms used for symmetric encryption. Some examples are AES, 3DES, and RC4.
- Asymmetric encryption: This class represents asymmetric (public key) algorithms that support encryption, like RSA.
- Signature: This class represents signature algorithms such as DSA and ECDSA. This class can also be used with RSA.
- Secret Agreement: This class represents secret agreement algorithms such as Diffie-Hellman (DH) and elliptic curve Diffie-Hellman (ECDH).